We propose a new class of quantum key distribution protocol that turns out to be robust against
photon number splitting attacks in weak laser pulse implementations. This protocol combines
the BB84 protocol and the SARG protocol, specifically by controlling the classical sifting procedures
of the two protocols. The protocol is more secure than both the BB84 protocol and the SARG protocol, and
the ultimate limit of robustness of the proposed protocol extends beyond that of both.




I. INTRODUCTION 

The Quantum Key Distribution (QKD) protocol is the only
physically secure method for distributing a secret
key between two distant partners (called Alice and Bob).
The physical security comes from the well-known facts that
an attacker (called Eve) cannot measure an unknown
quantum state without modifying the state itself, and that she
cannot duplicate the state and forward a perfect copy to
Bob. These facts are established by two principles, the
"uncertainty principle" and the "no-cloning theorem". The BB84
protocol [2] is the first single-photon QKD protocol; it
uses a random string of signal states which, for example,
can be realized as single photons in horizontal, vertical,
right circular or left circular polarization states.

In recent years, several long-distance implementations
of the BB84 protocol have been developed that use photons
as information carriers and optical fibers as quantum
channels. Most often Alice sends Bob a coherent weak
laser pulse in which she has encoded the bit. In a weak-pulse
QKD system, some pulses contain
more than one photon with non-negligible probability. This
implies that for these pulses Eve is no longer limited by the
"no-cloning theorem", and she can perform new types
of attacks to obtain the secret key without introducing
errors. Among such attacks are Photon Number
Splitting (PNS) attacks. Although PNS attacks
are far beyond today's technology, if one includes them in
the security analysis, the consequences are dramatic and
long-distance weak laser pulse QKD systems no longer
have physical security.

In this paper, we propose a new QKD protocol robust
against PNS attacks, achieved by alternating between the BB84
protocol and the SARG protocol. The protocol is more
secure than both the BB84 protocol and the SARG protocol,
especially in long-distance weak laser pulse QKD systems.
The advantage of this protocol is that it is easy to implement,
because it is built from an existing quantum
key distribution system in which only the classical sifting
procedure is changed, which is easier than making a
perfect single-photon source.



II. PROPOSED PROTOCOL 

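Our protocol uses four quantum states

$$Q := \{|+x\rangle, |-x\rangle, |+z\rangle, |-z\rangle\}$$

such that $|\langle \omega x|\omega' z\rangle| = 1/\sqrt{2}$ with $\omega, \omega' \in \{+,-\}$ and
$|\langle +\alpha|-\alpha\rangle| = 0$ with $\alpha \in \{x, z\}$. The four states are also
used by the BB84 protocol and the SARG protocol. $|\pm x\rangle$ and
$|\pm z\rangle$ denote the eigenvectors of $\sigma_x$ and $\sigma_z$, with eigenvalue
$\pm 1$, respectively.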

Our protocol consists of the following phases:

1 Quantum communication phase

Alice randomly selects one of the four states $|A\rangle \in Q$
and sends $|A\rangle$ to Bob. Bob measures either $\sigma_x$ or
$\sigma_z$, and gets a state $|B\rangle \in Q$. We call $|A\rangle$ and $|B\rangle$
raw keys.

2 Selecting announcement phase

Alice performs a procedure in which she obtains 0
with probability $a$ and 1 with probability
$1 - a$, and she gets $\Lambda \in \{0, 1\}$. The probability $a$
is determined uniquely by the length of the fiber, and
$0 < a < 1$. If $\Lambda = 0$, go to steps 3-1 and 4-1;
otherwise, go to steps 3-2 and 4-2.

3-1 Classical announcement phase (for $\Lambda = 0$)

Alice publicly announces a pair of states $\mathcal{A} =
\{|A_1\rangle, |A_2\rangle\}$ such that $|A\rangle \in \mathcal{A}$ and $|\langle A_1|A_2\rangle| = 0$.
This means that Alice announces a pair of orthogonal
states.

4-1 Sifting and decoding phase (for $\Lambda = 0$)

When $|B\rangle \in \mathcal{A}$, they get bits, called sifted keys,
from $|A\rangle$ and $|B\rangle$ with the convention that $|+x\rangle$
and $|+z\rangle$ code for 0 and $|-x\rangle$ and $|-z\rangle$ code for
1.

When $|B\rangle \notin \mathcal{A}$, they discard their raw keys.

3-2 Classical announcement phase (for $\Lambda = 1$)

Alice randomly selects one of the two pairs of states
$\mathcal{A} = \{|A_1\rangle, |A_2\rangle\}$ such that $|A\rangle \in \mathcal{A}$ and
$|\langle A_1|A_2\rangle| = 1/\sqrt{2}$, and publicly announces $\mathcal{A}$ to
Bob. This means that Alice announces a pair of
nonorthogonal states.

4-2 Sifting and decoding phase (for $\Lambda = 1$)

When $|B\rangle \notin \mathcal{A}$, Bob obtains $|B'\rangle$ from $|B\rangle$ such
that $|B'\rangle \in \mathcal{A}$ and $|\langle B|B'\rangle| = 1/\sqrt{2}$, and they get
sifted keys from $|A\rangle$ and $|B'\rangle$ with the convention
that $|\pm x\rangle$ code for 0 and $|\pm z\rangle$ code for 1.
When $|B\rangle \in \mathcal{A}$, they discard their raw keys.

Remark 1 

BB84 is described as the proposed protocol with $a = 1$,
and SARG is the same as this protocol with $a = 0$.
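
The sifting rules above can be checked with a short simulation. This is an added example, not code from the paper; it assumes ideal single-photon pulses, a lossless channel and no eavesdropper, and the names `run_pulse` and `simulate` are illustrative. It shows that both sifting branches give an error-free sifted key and that the sifted fraction is (1 + a)/4.

```python
import random

# The four states of Q as (basis, sign) labels: |+x>, |-x>, |+z>, |-z>.
STATES = [("x", +1), ("x", -1), ("z", +1), ("z", -1)]

def measure(state, basis, rng):
    """Ideal single-photon measurement of sigma_x or sigma_z."""
    if state[0] == basis:
        return state                          # same basis: outcome is certain
    return (basis, rng.choice((+1, -1)))      # overlap 1/sqrt(2): fair coin

def run_pulse(a, rng):
    """Phases 1-4 for one pulse; returns (alice_bit, bob_bit) or None if discarded."""
    A = rng.choice(STATES)
    B = measure(A, rng.choice("xz"), rng)
    if rng.random() < a:
        # Lambda = 0: announce the orthogonal pair containing |A> (BB84 sifting).
        pair = {A, (A[0], -A[1])}
        if B not in pair:
            return None
        sign_bit = lambda s: 0 if s[1] == +1 else 1   # |+x>,|+z> -> 0; |-x>,|-z> -> 1
        return sign_bit(A), sign_bit(B)
    # Lambda = 1: announce |A> with a random state of the other basis (SARG sifting).
    other = "z" if A[0] == "x" else "x"
    pair = {A, (other, rng.choice((+1, -1)))}
    if B in pair:
        return None
    # |B'> is the announced state with overlap 1/sqrt(2) with |B> (the other basis).
    B_prime = next(s for s in pair if s[0] != B[0])
    basis_bit = lambda s: 0 if s[0] == "x" else 1     # |+/-x> -> 0; |+/-z> -> 1
    return basis_bit(A), basis_bit(B_prime)

def simulate(a, pulses=100_000, seed=1):
    """Returns (sifted fraction, error rate of the sifted key) for selecting probability a."""
    rng = random.Random(seed)
    kept = [r for r in (run_pulse(a, rng) for _ in range(pulses)) if r is not None]
    errors = sum(alice != bob for alice, bob in kept)
    return len(kept) / pulses, errors / len(kept)

if __name__ == "__main__":
    for a in (0.0, 0.5, 1.0):
        print(a, simulate(a))
```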



III. PHOTON NUMBER SPLITTING ATTACKS 

In a weak-pulse QKD system, Alice sends Bob a weak
laser pulse in which she has encoded the bit. Each pulse
is a priori in a coherent state of weak intensity, which can
be rewritten as a mixture of Fock states, $\sum_{n \ge 0} p_n |n\rangle\langle n|$,
with the number $n$ of photons distributed according to
the Poissonian statistics of mean $\mu$, $p_n = e^{-\mu}\mu^n/n!$ [1, 3].

Consider now the implementation of the proposed protocol
with weak pulses. Bob's detector is triggered with a
probability that takes into account the intensities of the weak laser
pulses, channel losses and imperfect detection efficiencies.
Then, in the absence of Eve, Bob's raw detection
rate, which is the probability that he detects a photon
per pulse sent by Alice, is given by

$$R_{raw}(\eta_p) = \sum_{n \ge 1} p_n \{1 - (1 - \eta_d\eta_p)^n\} \approx \eta_d\eta_p\mu,$$

where $\eta_d$ is the quantum efficiency of a detector and $\eta_p$
is the channel transmission.

In this case, if we endow Eve with unlimited technological
power within the laws of quantum physics, the
following attacks, named a storage attack and an Intercept
Resend with Unambiguous Discrimination attack
(an IRUD attack for short), are possible in principle [5].
(We will explain the details of these attacks later.) If Alice
and Bob are connected by a lossy channel ($\eta_p < 1$) and
Eve has a lossless channel ($\eta_p = 1$) connecting Alice
and Bob, Eve performs either attack on a fraction $q$ of
the pulses; that is, she proceeds as follows:

1. Eve performs a procedure in which she obtains 0
with probability $q$ and 1 with probability
$1 - q$.

2. When she gets 1, she only forwards the pulse to
Bob using her lossless channel. When she gets 0,
she performs one of the two PNS attacks.

The attack probability $q$ depends on both the type of her
attack and the length of the lossy channel, and is chosen such that Alice
and Bob do not notice any change in the expected raw
rate and Eve remains undetected.



A. Storage Attack 

We will explain the procedure of a storage attack
in the following.

1. Eve counts the number of photons in the pulse, using
a photon-number quantum nondemolition measurement.
If the pulse contains only one photon,
Eve discards the photon.

2. When Eve detects that it is a multiphoton pulse,
she keeps one of the photons in a quantum memory
and forwards the remaining photons to Bob, using
a perfectly transparent quantum channel, $\eta_p = 1$.

3. Using the information from the classical announcement
phase, Eve measures the photon
stored in her quantum memory accordingly.

When Eve applies a storage attack on a fraction $q$ of
the pulses, Bob's raw detection rate is

$$R^s(q) = (1-q)\eta_d\mu + q\sum_{n \ge 2} p_n\{1 - (1-\eta_d)^{n-1}\} \approx (1-q)\eta_d\mu + q\eta_d p_2.$$

By Lemma 1, her mutual information of the key is



PVdP2 



where 




with $H(x) = -x\log_2 x - (1-x)\log_2(1-x)$.

Lemma 1 ([4])

Eve is now faced with the problem of detecting two states
($|x\rangle$ and $|y\rangle$) having an overlap $|\langle x|y\rangle| = \chi$. Then she
applies the measurement maximizing her information,
obtaining

$$I(\chi) = 1 - H(P),$$

where $P = \frac{1}{2}\left(1 + \sqrt{1 - \chi^2}\right)$.

Given $\eta_p$, Eve chooses $q$ such that $R_{raw}(\eta_p) = R^s(q)$,
and her mutual information of the sifted key is



ItM = ivp-' - 1) 



P2' 



B. Intercept Resend with Unambiguous Discrimination Attack



An encoded pulse containing three photons is rewritten
as one of the four states

$$\{|\Psi_1\rangle, |\Psi_2\rangle, |\Psi_3\rangle, |\Psi_4\rangle\} = \{|+x\rangle^{\otimes 3}, |-x\rangle^{\otimes 3}, |+z\rangle^{\otimes 3}, |-z\rangle^{\otimes 3}\}.$$

In this case, there exist four orthogonal states of three
qubits, $|\Phi_1\rangle, \ldots, |\Phi_4\rangle$, such that $|\langle\Phi_j|\Psi_k\rangle| = \frac{1}{\sqrt{2}}\delta_{kj}$.
Therefore, we can perform a measurement $\mathcal{M}$ that distinguishes
unambiguously among $|\Psi_1\rangle, \ldots, |\Psi_4\rangle$, with a
probability of success $P_{ok} = 1/2$.

We will explain the procedure of an IRUD attack
in the following.

1. Eve measures the number of photons and discards
any pulse containing fewer than three photons.

2. On a pulse containing at least three photons, Eve
performs the measurement $\mathcal{M}$.

3. If the result is conclusive, she sends a new photon
prepared in the good state to Bob using a perfectly
transparent quantum channel. If it is not conclusive,
Eve discards the result and the pulse.

When Eve applies the IRUD attack on a fraction $q$ of
the pulses, Bob's raw detection rate and Eve's mutual
information are

$$R^u(q) = (1-q)\eta_d\mu + qP_{ok}\sum_{n \ge 3} p_n\{1 - (1-\eta_d)^{n-2}\} \approx (1-q)\eta_d\mu + q\eta_d P_{ok}p_3$$

and

$$I^u(q) = \frac{q\eta_d P_{ok}p_3}{(1-q)\eta_d\mu + q\eta_d P_{ok}p_3}.$$



When Eve chooses $q$ such that $R_{raw}(\eta_p) = R^u(q)$, her
mutual information of the sifted key is

$$I^u(\eta_p) = (\eta_p^{-1} - 1)\left(\frac{\mu}{P_{ok}p_3} - 1\right)^{-1}.$$
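
The rate-matching condition used for both attacks, $R_{raw}(\eta_p) = R(q)$, can be evaluated numerically. The following is an added example, not code from the paper; it uses the leading-order rates above (so $\eta_d$ cancels), the fiber attenuation of 0.25 dB/km and the mean photon number 0.1 quoted later on this page, and hypothetical function names.

```python
import math

ALPHA_DB_PER_KM = 0.25   # fiber attenuation quoted on the page
P_OK = 0.5               # success probability of the unambiguous measurement

def poisson(n, mu):
    """p_n for a weak coherent pulse with mean photon number mu."""
    return math.exp(-mu) * mu**n / math.factorial(n)

def transmission(length_km, alpha=ALPHA_DB_PER_KM):
    """Channel transmission eta_p for a fiber of the given length."""
    return 10 ** (-alpha * length_km / 10)

def attacked_weight(mu, attack):
    """Leading-order rate of an attacked pulse at Bob, divided by eta_d."""
    if attack == "storage":
        return poisson(2, mu)            # eta_d * p_2
    if attack == "irud":
        return P_OK * poisson(3, mu)     # eta_d * P_ok * p_3
    raise ValueError(attack)

def attack_fraction(mu, length_km, attack):
    """Fraction q that keeps Bob's raw rate at its loss-only value.

    Solves eta_p * mu = (1 - q) * mu + q * w for q; q is capped at 1,
    the point where every pulse can be attacked without changing the rate.
    """
    eta_p = transmission(length_km)
    q = (1 - eta_p) * mu / (mu - attacked_weight(mu, attack))
    return min(q, 1.0)

def irud_information(mu, length_km):
    """Eve's mutual information under the IRUD attack at the rate-matched q,
    using the page's expression q*w / ((1 - q)*mu + q*w)."""
    q = attack_fraction(mu, length_km, "irud")
    w = attacked_weight(mu, "irud")
    return q * w / ((1 - q) * mu + q * w)

def critical_length_km(mu, attack, alpha=ALPHA_DB_PER_KM):
    """Fiber length at which q reaches 1, i.e. eta_p = w / mu."""
    return 10 * math.log10(mu / attacked_weight(mu, attack)) / alpha

if __name__ == "__main__":
    for attack in ("storage", "irud"):
        print(attack, round(critical_length_km(0.1, attack), 1), "km")
```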



IV. SECURITY AGAINST PNS ATTACKS 

In this section, we evaluate security against PNS attacks
with QBER = 0. In the proposed protocol, the sifted
key rate, which is the probability that Alice and Bob
share a sifted key per pulse, is given by

$$R_{sift}(a, \eta_p) \approx \frac{1+a}{4}\,\eta_d\eta_p\mu.$$

It is easy to see that increasing security against PNS attacks
decreases the sifted key rate. Therefore, we shall
evaluate security under the condition that the sifted key
rate is constant regardless of the selecting probability $a$.
Then, we change $\mu$ to

$$\mu_a = \frac{2}{1+a}\,\mu_B,$$

where $\mu_B$ is the mean photon number when using the BB84
protocol. In this paper, we use a typical value $\mu_B = 0.1$.



Eve's mutual information of the sifted key when she
performs either of the two PNS attacks is, respectively,



/^(a,77p) = (77p-i-l) 



1 



-J^ 1 



r 



and 



e '^ci 



- 1 



From these equations, we have the following theorem:

Theorem 1

Consider Alice and Bob sharing a secret key using a weak
laser pulse QKD system and our proposed protocol. They
choose the selecting parameter $a$ ($0 < a < 1$) to minimize
Eve's mutual information of the shared key.

When Eve performs only the storage attack, the best
parameter is $a = 0$, that is, they use the SARG protocol. On
the other hand, when Eve performs the IRUD attack, the
best is $a = 1$, that is, they use the BB84 protocol.

Proof. 

We will prove the following inequalities:

$$\frac{d}{da}I^s(a, \eta_p) > 0, \qquad \frac{d}{da}I^u(a, \eta_p) < 0.$$
We can calculate that 



where /(a) 



Suppose that 

.(«) = |^/f-/(a)-/f-|j/(«) 



(1-L- 



1 



(a + (1 - ajL )- 



where ^l^U (^) and ^Xa' = ^Pa < 0. 
Considering L"^ as variable, we can get 

e~^>a^ - 2fia + 2(1 - a)fla'{l - Ma) 



dLS 



dia) = 



< 



< 



< 



2{Ma^ - Ma + (1 - a)Ma'(l ^ Ma)} 

e-'^-Ma 

2{^a^ - Ma + (1 - Ma)} 

e-z^-Ma 

'^•IJ.aip.a - 1) 



e ^°Ma 



< 
FIG. 1: Security against PNS attacks with QBER = 0. In
area I, Eve performs the storage attack and obtains
information about the sifted key. In area II, Eve's attack
shifts to the IRUD attack.




By ?7p ^ — 1 > 0, we have ^/■^(a, 
Next, suppose that 



d 



-/V..) = (.P--1)--^ 



where h{a) 
Then 
d_

da 



h{a) 



U^ia'{pa - 2) 



because $\mu_a' < 0$ and $\mu_a < 2$.
Therefore, $\frac{d}{da}I^u(a, \eta_p) < 0$.



> 



□ 



In Figure 1 we show Eve's maximal mutual information
of a sifted key when she performs either of the two PNS
attacks, as a function of the communication distance.
We use typical values $\eta_p = 10^{-\delta/10}$, $\delta = \alpha l$ [dB] and
$\alpha = 0.25$ [dB/km], where $l$ is the length of the fiber. We
say that, in the case of $l > 100$ km, the proposed protocol
with $a = 0.5$ is better than the SARG protocol because
/'(0.5,77p) </^(l,r?p). 

Second, consider that Alice and Bob choose $a$ to minimize
Eve's mutual information when she performs the
most convenient PNS attack, in which her mutual information
is

$$I(a, \eta_p) = \max\{I^s(a, \eta_p), I^u(a, \eta_p)\}.$$



FIG. 2: Security against PNS attacks when Alice and Bob
choose an optimal $a$. If $l < 87.5$ km, they only use $a = 0$. If $l >
87.5$ km, they increase $a$ as shown by the dotted line. Comparing
with Figure 1, our protocol is more secure against PNS attacks
than both of the two protocols.



From Figure 2 we can say that, by choosing an optimal $a$,
the ultimate limit of robustness is shifted from 100 km,
which is the ultimate limit of the SARG protocol, to 125 km,
which is the longest record among experimental QKD
systems in the world.



Therefore, because < 0.5, it can be shown that 



]{a) > 5'(a)|iS^o.5 

fla{2 - e-f'-fla) - 2(1 + a)Ha'{l - f^a) 



> 



2e-''"/Xa2 

Ma(l - Ma) + (1 + a)Ma'(l - Ma) 







where (1 -I- «)/!„' = -(1 -f «) = -Ma 